Rewterz Threat Alert – DarkRadiation using Bash Ransomware – Active IOCs

Severity

Medium

Analysis Summary

A recently discovered Bash ransomware piqued our interest in multiple ways. Upon investigating, we found that the attack chain is fully implemented as a bash script, but it also seems that the scripts are still under development. Most components of this attack mainly target Red Hat and CentOS Linux distributions; however, in some scripts, Debian-based Linux distributions are included as well. The worm and ransomware scripts also use the API of the messaging application Telegram for command-and-control (C&C) communication. The “downloader.sh” is an SSH worm that accepts base64-encoded configuration credentials as an argument. These credentials would either be dumped by the attacker after the initial foothold on a victim’s systems or used as a brute-force list that targets systems with weak password protection. Essentially, the malware checks if the given configuration is set to use an SSH password attack or an SSH key base attack — it can also test SSH passwords or SSH keys against the targeted IP address. Upon successful connection, the malware downloads and executes ransomware on a remote system. 

Impact

• File Encryption
• Credential Theft

Indicators of Compromise

MD5

• 219202aa2355b68ee4ea61056fb13b37
• ae6eeaa09f5fa4c937928430c397b1ff
• 6b2f67ac804c04cce6b1404a27013ca2
• 43530cae846e5a334ad9fe8c0ebcd52a
• 43530cae846e5a334ad9fe8c0ebcd52a
• f64a6a99c383d72701829ae11a7deb04
• f42542edd0ab744e728e8386bd990a27
• 3402c9373726396598011ef6ec1ea243
• 8224c9faafd5f4a8678bfa511fc4b5e2
• 5c215494d938fbab70841de4a11e805e
• 9885d42b645604eac9cf8eb51356d34e
• f4ed5ca9a00b08068b8f625299e8f992
• b5b6f49805dcb7facfa1a4f88d6c9998
• 94a4295cd2d0df00c570a41663729f2b

SHA-256

• d0d3743384e400568587d1bd4b768f7555cc13ad163f5b0c3ed66fdc2d29b810
• 652ee7b470c393c1de1dfdcd8cb834ff0dd23c93646739f1f475f71a6c138edd
• 9f99cf2bdf2e5dbd2ccc3c09ddcc2b4cba11a860b7e74c17a1cdea6910737b11
• 654d19620d48ff1f00a4d91566e705912d515c17d7615d0625f6b4ace80f8e3a
• 79aee7a4459d49dc6dfebf1a45d32ccc3769a1e5c1f231777ced3769607ba9c1
• 79aee7a4459d49dc6dfebf1a45d32ccc3769a1e5c1f231777ced3769607ba9c1
• da68dc9d5571ef4729adda86f5a21d3f4478ddbae2de937f34f57f450d8a3c76
• 3bab2947305c00df66cb4d6aaef006f10aca348c17aa2fd28e53363a08b7ec68
• 0243ac9f6148098de0b5f215c6e9802663284432492d29f7443a5dc36cb9aab5
• e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842
• fdd8c27495fbaa855603df4f774fe86bbc21743f59fd039f734feb07704805bd
• 7a15e51e5dc6a9bfe0104f731e7def854abca5154317198dad73f32e1aead740
• c869261902a1364dd3decb2f8dce54b81621f20abd7204a427a3365c8dcc9d78
• 503276929ce5c56c626eaa5c3aca0e0160743bf3c8d415042dc3f9bb8c8b44a2
• 847d0057ade1d6ca0fedc5f48e76dd076fa4611deb77c490899f49701e87b6dd

SHA1

• e437221542112affc30e036921e4395b72fe6504
• 5b231b4d834220bf378d1a64c15cc04eca6ddaf6
• 1bea1c2715f44fbfe38c80d333dfa5a28921cefb
• ff1dd49ddc5e5777178d674baac457346edfaab3
• ff1dd49ddc5e5777178d674baac457346edfaab3
• 36407477fb8d38549015cc158f09bdff7df80f3c
• ae06fe75f220927175caa58475a743d40ca6f592
• 919b574a4d000161e52d57b827976b6d9388b33f
• 215d777140728b748fc264ef203ebd27b2388666
• 45b57869e3857b50c1d794baba6ceca2641a7cfa
• a4203ca2686ef6983f3e32b552177ffe29b53380
• 2adf0a05fa59961f221bba9317fb65528c91c74f
• d76d08b1127b40983619ff11a314d49a1473d7c4
• 26ab968b9448ebb8eb98e1fcb22ebf35174a024e

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.